ldap
play

LDAP LDAPv3, Internet Standard RFC4510 RFC 4510-4521 and about 40 - PowerPoint PPT Presentation

Apr 22, 2023 •467 likes •544 views

What is LDAP Lightweight Directory Access Protocol Phonebook Based on X.500 DAP on OSI stack Developed in '93 @ UMich LDAP LDAPv3, Internet Standard RFC4510 RFC 4510-4521 and about 40 others for extensions Many implementations OpenLDAP

  1. What is LDAP Lightweight Directory Access Protocol Phonebook Based on X.500 DAP on OSI stack Developed in '93 @ UMich LDAP LDAPv3, Internet Standard RFC4510 RFC 4510-4521 and about 40 others for extensions Many implementations OpenLDAP Getting Started with LDAP for small Apache Directory Server and large setups. Sun Java System Directory (SunONE/iPlanet/Netscape) Novell eDirectory Microsoft Active Directory many others... What is a directory... What can be stored in LDAP Directory is a tree of entries Basically anything you can think of Basic operations: Mostly used for: Search User accounts and group related data Compare Phone and address book Add Mail accounts Modify Configuration data for various systems Delete Other examples: Optimized for quick access, read performance Sudo configuration LDAP server can serve multiple trees Evolution Addressbook Schema's define and describe the contents of the directory Bitlbee configuration and buddy-list Collection of Attributes and Classes: CUPS configuration Syntax ... Globally unique Object Identifiers (ASN.1)

  2. Example LDAP Data A sample schema ... attributetype ( 1.3.6.1.4.1.15953.9.1.5 LDAP data is usually presented in LDIF (LDAP Data NAME 'sudoOption' Interchange Format). DESC 'Options(s) followed by sudo' dn: o=Snow, c=nl EQUALITY caseExactIA5Match o: Snow SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) # IA5String (7-bit ascii) objectclass: organization dn: cn=Mark Janssen, o=Snow, c=nl cn: Mark Janssen objectclass ( 1.3.6.1.4.1.15953.9.2.1 sn: Janssen NAME 'sudoRole' SUP top STRUCTURAL mail: m.janssen@snow.nl DESC 'Sudoer Entries' objectclass: person MUST ( cn ) MAY ( sudoUser $ ... $ sudoCommand $ ... $ sudoOption $ description ) ) ... OpenLDAP Building OpenLDAP Open source LDAP directory (slapd), interface library Requirements: (libldap, liblber) and client utilities (ldapadd, ldapsearch, BerkeleyDB 4.7 ldapmodify, etc) OpenSSL Open Source / Free Software, basically BSD-style license Configure: ./configure --with-tls=openssl --enable-overlays -- (OpenLDAP License) enable-crypt --enable-modules --enable-monitor -- Front-end server (ldap interface) with various back-ends: prefix=/opt/openldap --enable-syslog --enable-proctitle -- Storage backend (bdb,hdb, mysql, ldif) without-subdir Proxy backends (passwd, ldap, sql, ...) Installing Misc/Dynamic (config, monitor, perl, null, ...) Gathering additional schema's Overlay support http://web.singnet.com.sg/~garyttt/solaris.schema.txt Change presentation of data http://www.sudo.ws/cgi- Logging bin/cvsweb/~checkout~/sudo/schema.OpenLDAP? Custom stuff rev=1.3 Kernel-like versioning, current stable versions 2.2 and 2.4 Or use you distro-provided package if available

  3. Server configuration: slapd.conf slapd.conf database bdb include schema/core.schema suffix "dc=company,dc=nl" include schema/cosine.schema rootdn "cn=Manager,dc=company,dc=nl" include schema/nis.schema Include schema definitions include schema/solaris.schema rootpw {SSHA}PassWordHash include schema/ppolicy.schema SSL configuration include schema/duaconf.schema # Indices to maintain ACL's include schema/sudo.schema Database definition index objectClass,uid,uidNumber,index \ # TLS Certificate gidNumber,ou eq Indexes TLSCACertificateFile cacert.pem index cn,mail,surname eq,subinitial Overlays TLSCertificateFile servercrt.pem index memberUid eq TLSCertificateKeyFile server.key index nisDomain eq Sizing/Tuning TLSVerifyClient never index uniqueMember pres # ACL's # OVERLAY definitions: access to * overlay ppolicy by self read ppolicy_default "cn=default, by * read ou=policies, dc=company,dc=nl" password-hash {SSHA} Loading initial content Interacting with your directory dn: dc=company,dc=nl dn: cn=proxyagent,ou=People,... associatedDomain: company.nl userPassword:: PASSWORDHASH dc: company objectClass: top objectClass: top objectClass: person Command-line tools (ldapsearch, ldapadd, ldapmodify) objectClass: dcObject sn: proxyagent LBE: Ldap Browser and Editor (missing in action) objectClass: domain cn: proxyagentdn: cn=Manager, dc=company,dc=nl objectClass: domainRelatedObject Apache Directory Studio: http://directory.apache.org/studio/ userPassword:: PASSWORDHASH objectClass: nisDomainObject objectClass: person nisDomain: company.nl objectClass: top o: Your Company Namedn: sn: Manager ou=People,dc=company,dc=nl cn: Manager ou: People $ ldapadd -D binddn -w secret \ objectClass: top -b dc=company,dc=nl -f initial.ldif objectClass: organizationalUnit dn: cn=Users,ou=Group,dc=com... gidNumber: 1000 objectClass: top objectClass: posixGroup cn: Users

  4. Access control considerations Based on first match Specify subtree and/or attributes Rights: None/Auth/Read/Write User specifier: Wildcard, Anonymous, Self or specified. Allow access to public data Limit access to sensitive data Disallow access to private data Allow users to modify some fields (contact info) Allow system-tools access to posix account fields Apache Directory Studio ACL Examples Client configuration - generic/linux Generic access to dn.subtree="ou=People,dc=domain,dc=tld" \ Limit access to fields Install pam-ldap and nss-ldap attrs=userPassword,shadowLastChange place your cacert.pem file and certificates in /etc/ldap/ userPassword and by dn="cn=proxyagent,ou=profile,dc=domain,dc=tld" write edit pam.conf, nsswitch.conf, /etc/ldap/ldap.conf shadowLastChange by dn="cn=webagent,ou=profile,dc=domain,dc=tld" auth Red Hat Enterprise 4 or 5 by self write pre-populate /etc/ldap.conf with binddn and bindpw values (can't by anonymous auth specify these in config-tool yet) by * read Prevent users from authconfig or system-config-authentication access to attrs=uid,uidNumber,gidNumber,memberUid changing their unix Check 'Use LDAP', 'Use TLS', specify server/basedn by * read account rights Check 'Cache Information' (enable nscd) Check 'Use LDAP Authentication' and 'Local autentication is sufficient' access to dn.subtree="ou=SUDOers,dc=domain,dc=tld" Limit a tree to a specific Further ldap.conf, pam.conf and nsswitch.conf configuration is done for by dn="cn=sudoagent,ou=profile,dc=domain,dc=tld" read user or authorization. you by authconfig. by * none End-all passthrough rule. access to * by * read

  5. Client configuration - Unix Config files: /etc/(ldap)/ldap.conf Solaris 10 Create or update certificate store binddn cn=proxyagent,dc=domain,dc=tld certutil -N -d /var/ldap bindpw secret certutil -A -d /var/ldap -n 'CA Name' -i /path/to/cacert.pem -a -t CT base dc=domain,dc=tld Edit /etc/nsswitch.ldap, making sure to change the entries for hosts timelimit 120 and ipnodes to ‘files dns’ ldapclient init -v -a proxyDN=cn=proxyagent,dc=domain,dc=tld -a bind_timelimit 120 proxyPassword=secret -a domainName=domain.tld -a idle_timelimit 3600 profileName=tls_profile ldapserver.domain.tld ldapserver2.domain.tld nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon, Modify pam.conf to support ldap dbus,nscd,gdm AIX 5.3 / 6.1 uri ldap://ldapserver1.domain.tld ldap://ldapserver2 Use gsk7ikm to convert cacert.pem to a keydb Install client binaries (idsldap.clt32bit61.rte, idsldap.clt64bit61.rte, ssl start_tls idsldap.cltbase61.adt, idsldap.cltbase61.rte) tls_cacertfile /path/to/cacert.pem mksecldap -c -h ldapserver1.domain.tld,ldapserver2 -a cn=proxyagent, pam_password md5 dc=domain,dc=tld -p secret -k /path/to/your-keydb.kdb -w keydbpassword -A ldap_auth Config files: /etc/nsswitch.conf Config files: Sample pam config passwd: files ldap # Sufficient samples are included with pam_ldap and pam is hightly # OS/System dependant, this is just an example, don't just start using this. shadow: files ldap # /etc/pam.d/login group: files ldap hosts: files dns #%PAM-1.0 netgroup: files ldap auth required /lib/security/pam_securetty.so auth required /lib/security/pam_nologin.so automount: files ldap auth sufficient /lib/security/pam_ldap.so sudoers: files ldap auth required /lib/security/pam_unix_auth.so try_first_pass account sufficient /lib/security/pam_ldap.so account required /lib/security/pam_unix_acct.so password required /lib/security/pam_cracklib.so password required /lib/security/pam_ldap.so password required /lib/security/pam_pwdb.so use_first_pass session required /lib/security/pam_unix_session.so

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Introduction to LDAP Frank A. Kuse Introduction to LDAP AGENDA Understanding LDAP

Introduction to LDAP Frank A. Kuse Introduction to LDAP AGENDA Understanding LDAP

Introduction to LDAP Frank A. Kuse Introduction to LDAP AGENDA Understanding LDAP LDAP Servers Information Structure Protocol Overview LDAP operations UNDERSTANDING LDAP LDAP stands for Lightweight Directory Access

268 views • 12 slides
How we implemented an LDAP directory Multiple Simultaneous Requests . . . . . . . . . . . . . . .

How we implemented an LDAP directory Multiple Simultaneous Requests . . . . . . . . . . . . . . .

Getting Started What do you already know about ldap ? . . . . . . . . . . . . . . slide #3 What Do You Want? . . . . . . . . . . . . . . . . . . . . . . . . . . . . slide #4 Argument for LDAP Account Information . . . . . . . . . . . . . . . . .

442 views • 26 slides
LDB and the LDAP server in Samba4 Simo Sorce Samba Team idra@samba.org simo.sorce@quest.com

LDB and the LDAP server in Samba4 Simo Sorce Samba Team idra@samba.org simo.sorce@quest.com

LDB and the LDAP server in Samba4 Simo Sorce Samba Team idra@samba.org simo.sorce@quest.com http://www.samba.org/~idra What is LDB ? LDB is an LDAP-like database interface LDAP-like data model support LDAP like search expressions but it

1.03k views • 24 slides
DESIRE II LDAP Indexing System 45 IETF, Oslo LDAP Service Deployment - Take 2 BoF 15. July 1999

DESIRE II LDAP Indexing System 45 IETF, Oslo LDAP Service Deployment - Take 2 BoF 15. July 1999

DESIRE DESIRE II LDAP Indexing System 45 IETF, Oslo LDAP Service Deployment - Take 2 BoF 15. July 1999 Peter Gietz, University of Tbingen Peter.Gietz@directory.dfn.de DESIRE LDAP Index system

855 views • 12 slides
Security with LDAP Andrew Findlay Skills 1st Ltd www.skills-1st.co.uk February 2002

Security with LDAP Andrew Findlay Skills 1st Ltd www.skills-1st.co.uk February 2002

Security with LDAP Andrew Findlay Skills 1st Ltd www.skills-1st.co.uk February 2002 andrew.findlay@skills-1st.co.uk Security with LDAP Applications of LDAP White Pages NIS (Network Information System) Authentication

257 views • 15 slides
KDC LDAP Schema IETF 11/02 Donna Skibbie, IBM Overview KDC LDAP Schema draft: Defines all KDC

KDC LDAP Schema IETF 11/02 Donna Skibbie, IBM Overview KDC LDAP Schema draft: Defines all KDC

KDC LDAP Schema IETF 11/02 Donna Skibbie, IBM Overview KDC LDAP Schema draft: Defines all KDC attributes except for those used to store key data Keys Extension draft: Defines attributes used to store key data Flow of Data to LDAP

798 views • 10 slides
From LDAP to IdM Presentation at the Athens Eurocamp 2008 by Roland Hedberg

From LDAP to IdM Presentation at the Athens Eurocamp 2008 by Roland Hedberg

From LDAP to IdM Presentation at the Athens Eurocamp 2008 by Roland Hedberg <roland.hedberg@adm.umu.se> The transition -starting point Admin interface LDAP Scripts The transition - toward nirvana Admin interface LDAP Scripts

497 views • 22 slides
Testing LDAP Implementations Emmanuel Lcharny Do who need tests anyway ? OSS projects don't

Testing LDAP Implementations Emmanuel Lcharny Do who need tests anyway ? OSS projects don't

Testing LDAP Implementations Emmanuel Lcharny Do who need tests anyway ? OSS projects don't need it... We have users ! We have users ! LDAP project phases Initial analysis Development + tests Costs Conformance tests Tests are

501 views • 27 slides
dCache and LDAP AuthN Ron Trompert SURFsara A :ny Bit

dCache and LDAP AuthN Ron Trompert SURFsara A :ny Bit

dCache and LDAP AuthN Ron Trompert SURFsara A :ny Bit of History Number of systems Own user administra:on system Some users had access

519 views • 10 slides
UCSB Identity and LDAP The central campus directory and authentication system UCSB Identity

UCSB Identity and LDAP The central campus directory and authentication system UCSB Identity

UCSB Identity and LDAP The central campus directory and authentication system UCSB Identity System UCSBnetID authentication UCSB-wide student and employee info http://www.identity.ucsb.edu/ LDAP Overview Lightweight Directory Access Protocol

604 views • 24 slides
Towards a Common Java LDAP API Emmanuel Lecharny Apache Directory elecharny@apache.org Ludovic

Towards a Common Java LDAP API Emmanuel Lecharny Apache Directory elecharny@apache.org Ludovic

Towards a Common Java LDAP API Emmanuel Lecharny Apache Directory elecharny@apache.org Ludovic Poitou OpenDS ludovic.poitou@sun.com A poor man's choice: JNDI or JLDAP/Netscape LDAP SDK Good News: Apache Directory Client API OpenDS

678 views • 20 slides
Logistics E-mail UML 2 Should have received mail from me. If not: Check LDAP

Logistics E-mail UML 2 Should have received mail from me. If not: Check LDAP

Logistics E-mail UML 2 Should have received mail from me. If not: Check LDAP entry Indicate on attendance sheet Announcements Plan for today Its Co-op time Building a software system Orientation

475 views • 3 slides
How we implemented an LDAP directory for Laboratories A Case Study at Hong Kong Institute of

How we implemented an LDAP directory for Laboratories A Case Study at Hong Kong Institute of

How we implemented an LDAP directory for Laboratories Nick Urbanik How we implemented an LDAP directory for Laboratories A Case Study at Hong Kong Institute of Vocational Education (Tsing Yi), Department of ICT Nick Urbanik

1.17k views • 106 slides
Logistics The never-ending LDAP problems Latest Developments Dave, got your e-mail

Logistics The never-ending LDAP problems Latest Developments Dave, got your e-mail

Logistics The never-ending LDAP problems Latest Developments Dave, got your e-mail (Cant change in mycourses) Jon, your mail bounced March 17 Lets settle things after class Enter stage left Spacethe final

382 views • 5 slides
The LDAP Directory Schema AGENDA Why do we need a good schema? From the White Pages to

The LDAP Directory Schema AGENDA Why do we need a good schema? From the White Pages to

The LDAP Directory Schema AGENDA Why do we need a good schema? From the White Pages to Access Control The Design Process The available Standards Best Practices The User object The plumbing Implementing the Schema

494 views • 47 slides
EuroCAMP Summary (in 15 mins) Diego We are at the teenager stage of IDM IDM is maturing

EuroCAMP Summary (in 15 mins) Diego We are at the teenager stage of IDM IDM is maturing

EuroCAMP Summary (in 15 mins) Diego We are at the teenager stage of IDM IDM is maturing Welcome to the schema Onion Jasmina Welcome to LDAP [the syntax] Flat tends to be better than hierarchical Feed your LDAP

297 views • 17 slides
Roomy: A System for Space Limited Computations Dan Kunkle Ph.D. Student College of Computer and

Roomy: A System for Space Limited Computations Dan Kunkle Ph.D. Student College of Computer and

Roomy: A System for Space Limited Computations Dan Kunkle Ph.D. Student College of Computer and Information Science Northeastern University Advisor: Gene Cooperman PASCO 10: July 21, 2010 Dan Kunkle Roomy; Space Limited Computation PASCO

932 views • 53 slides
Last class: Paging Today: Virtual Memory Virtual Memory What if programs

Last class: Paging Today: Virtual Memory Virtual Memory What if programs

Last class: Paging Today: Virtual Memory Virtual Memory What if programs require more memory than available physical memory? Use overlays Difficult to program though! Virtual Memory. Supports programs that are

703 views • 39 slides
CSCI [4|6]730 Operating Systems Main Memory Maria Hybinette, UGA Maria Hybinette, UGA Memory

CSCI [4|6]730 Operating Systems Main Memory Maria Hybinette, UGA Maria Hybinette, UGA Memory

CSCI [4|6]730 Operating Systems Main Memory Maria Hybinette, UGA Maria Hybinette, UGA Memory Questions? What is main memory? How does multiple processes share memory space? Key is how do they refer to the memory addresses.

759 views • 31 slides
Memory Management Thierry Sans Today's questions How to allocate free space? Dynamic Memory

Memory Management Thierry Sans Today's questions How to allocate free space? Dynamic Memory

Memory Management Thierry Sans Today's questions How to allocate free space? Dynamic Memory Allocation How to evict pages from memory? (a.k.a when to swap) Page Replacements Algorithms How much memory to give to each process?

516 views • 48 slides
Slab allocators in the Linux Kernel: SLAB, SLOB, SLUB Christoph Lameter, LinuxCon/Dsseldorf

Slab allocators in the Linux Kernel: SLAB, SLOB, SLUB Christoph Lameter, LinuxCon/Dsseldorf

Slab allocators in the Linux Kernel: SLAB, SLOB, SLUB Christoph Lameter, LinuxCon/Dsseldorf 2014 (Revision Oct 3, 2014) The Role of the Slab allocator in Linux PAGE_SIZE (4k) basic allocation unit via page allocator. Allows

750 views • 35 slides
CSCI 3136 Principles of Programming Languages Names, Scopes, and Bindings - 1 Summer 2013

CSCI 3136 Principles of Programming Languages Names, Scopes, and Bindings - 1 Summer 2013

CSCI 3136 Principles of Programming Languages Names, Scopes, and Bindings - 1 Summer 2013 Faculty of Computer Science Dalhousie University 1 / 87 Name A name is a mnemonic character string representing something else: 2 / 87 Name A name is

1.23k views • 87 slides
Memory Management Memory Management 5A. Memory Management and Address Spaces 1. allocate/assign

Memory Management Memory Management 5A. Memory Management and Address Spaces 1. allocate/assign

4/14/2018 Memory Management Memory Management 5A. Memory Management and Address Spaces 1. allocate/assign physical memory to processes 5B. Memory Allocation explicit requests: malloc (sbrk) implicit: program loading, stack extension

555 views • 9 slides
A Distributed Polylogarithmic Time Algorithm for Self-Stabilizing Skip Graphs Christian Decker

A Distributed Polylogarithmic Time Algorithm for Self-Stabilizing Skip Graphs Christian Decker

A Distributed Polylogarithmic Time Algorithm for Self-Stabilizing Skip Graphs Christian Decker Distributed Computing Seminar Christian Decker () Polylog Algorithm for Skip-Graphs Distributed Computing Seminar 1 / 35 Outline Skip Graphs 1

688 views • 44 slides

More recommend